bobs-workshop 0.3.3 → 3.1.0

package/src/skills/security/SKILL.md

@@ -0,0 +1,410 @@
+---
+name: security
+description: Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
+metadata:
+  recommended_for: bob-rev
+  category: security
+---
+
+# Security Skill
+
+> Think like an attacker, defend like an expert. 2025 threat landscape awareness.
+
+## 🔧 Runtime Scripts
+
+**Execute for automated validation:**
+
+| Script | Purpose | Usage |
+|--------|---------|-------|
+| `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py <project_path>` |
+
+## 📋 Reference Files
+
+| File | Purpose |
+|------|---------|
+| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |
+
+---
+
+## 1. Security Expert Mindset
+
+### Core Principles
+
+| Principle | Application |
+|-----------|-------------|
+| **Assume Breach** | Design as if attacker already inside |
+| **Zero Trust** | Never trust, always verify |
+| **Defense in Depth** | Multiple layers, no single point |
+| **Least Privilege** | Minimum required access only |
+| **Fail Secure** | On error, deny access |
+
+### Threat Modeling Questions
+
+Before scanning, ask:
+1. What are we protecting? (Assets)
+2. Who would attack? (Threat actors)
+3. How would they attack? (Attack vectors)
+4. What's the impact? (Business risk)
+
+---
+
+## 2. OWASP Top 10:2025
+
+### Risk Categories
+
+| Rank | Category | Think About |
+|------|----------|-------------|
+| **A01** | Broken Access Control | Who can access what? IDOR, SSRF |
+| **A02** | Security Misconfiguration | Defaults, headers, exposed services |
+| **A03** | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
+| **A04** | Cryptographic Failures | Weak crypto, exposed secrets |
+| **A05** | Injection | User input → system commands |
+| **A06** | Insecure Design | Flawed architecture |
+| **A07** | Authentication Failures | Session, credential management |
+| **A08** | Integrity Failures | Unsigned updates, tampered data |
+| **A09** | Logging & Alerting | Blind spots, no monitoring |
+| **A10** | Exceptional Conditions 🆕 | Error handling, fail-open states |
+
+### 2025 Key Changes
+
+```
+2021 → 2025 Shifts:
+├── SSRF merged into A01 (Access Control)
+├── A02 elevated (Cloud/Container configs)
+├── A03 NEW: Supply Chain (major focus)
+├── A10 NEW: Exceptional Conditions
+└── Focus shift: Root causes > Symptoms
+```
+
+---
+
+## 3. Supply Chain Security (A03)
+
+### Attack Surface
+
+| Vector | Risk | Question to Ask |
+|--------|------|-----------------|
+| **Dependencies** | Malicious packages | Do we audit new deps? |
+| **Lock files** | Integrity attacks | Are they committed? |
+| **Build pipeline** | CI/CD compromise | Who can modify? |
+| **Registry** | Typosquatting | Verified sources? |
+
+### Defense Principles
+
+- Verify package integrity (checksums)
+- Pin versions, audit updates
+- Use private registries for critical deps
+- Sign and verify artifacts
+
+---
+
+## 4. Attack Surface Mapping
+
+### What to Map
+
+| Category | Elements |
+|----------|----------|
+| **Entry Points** | APIs, forms, file uploads |
+| **Data Flows** | Input → Process → Output |
+| **Trust Boundaries** | Where auth/authz checked |
+| **Assets** | Secrets, PII, business data |
+
+### Prioritization Matrix
+
+```
+Risk = Likelihood × Impact
+
+High Impact + High Likelihood → CRITICAL
+High Impact + Low Likelihood  → HIGH
+Low Impact + High Likelihood  → MEDIUM
+Low Impact + Low Likelihood   → LOW
+```
+
+---
+
+## 5. Risk Prioritization
+
+### CVSS + Context
+
+| Factor | Weight | Question |
+|--------|--------|----------|
+| **CVSS Score** | Base severity | How severe is the vuln? |
+| **EPSS Score** | Exploit likelihood | Is it being exploited? |
+| **Asset Value** | Business context | What's at risk? |
+| **Exposure** | Attack surface | Internet-facing? |
+
+### Prioritization Decision Tree
+
+```
+Is it actively exploited (EPSS >0.5)?
+├── YES → CRITICAL: Immediate action
+└── NO → Check CVSS
+         ├── CVSS ≥9.0 → HIGH
+         ├── CVSS 7.0-8.9 → Consider asset value
+         └── CVSS <7.0 → Schedule for later
+```
+
+---
+
+## 6. Exceptional Conditions (A10 - New)
+
+### Fail-Open vs Fail-Closed
+
+| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
+|----------|-----------------|---------------------|
+| Auth error | Allow access | Deny access |
+| Parsing fails | Accept input | Reject input |
+| Timeout | Retry forever | Limit + abort |
+
+### What to Check
+
+- Exception handlers that catch-all and ignore
+- Missing error handling on security operations
+- Race conditions in auth/authz
+- Resource exhaustion scenarios
+
+---
+
+## 7. Scanning Methodology
+
+### Phase-Based Approach
+
+```
+1. RECONNAISSANCE
+   └── Understand the target
+       ├── Technology stack
+       ├── Entry points
+       └── Data flows
+
+2. DISCOVERY
+   └── Identify potential issues
+       ├── Configuration review
+       ├── Dependency analysis
+       └── Code pattern search
+
+3. ANALYSIS
+   └── Validate and prioritize
+       ├── False positive elimination
+       ├── Risk scoring
+       └── Attack chain mapping
+
+4. REPORTING
+   └── Actionable findings
+       ├── Clear reproduction steps
+       ├── Business impact
+       └── Remediation guidance
+```
+
+---
+
+## 8. Code Pattern Analysis
+
+### High-Risk Patterns
+
+| Pattern | Risk | Look For |
+|---------|------|----------|
+| **String concat in queries** | Injection | `"SELECT * FROM " + user_input` |
+| **Dynamic code execution** | RCE | `eval()`, `exec()`, `Function()` |
+| **Unsafe deserialization** | RCE | `pickle.loads()`, `unserialize()` |
+| **Path manipulation** | Traversal | User input in file paths |
+| **Disabled security** | Various | `verify=False`, `--insecure` |
+
+### Secret Patterns
+
+| Type | Indicators |
+|------|-----------|
+| API Keys | `api_key`, `apikey`, high entropy |
+| Tokens | `token`, `bearer`, `jwt` |
+| Credentials | `password`, `secret`, `key` |
+| Cloud | `AWS_`, `AZURE_`, `GCP_` prefixes |
+
+---
+
+## 9. Cloud Security Considerations
+
+### Shared Responsibility
+
+| Layer | You Own | Provider Owns |
+|-------|---------|---------------|
+| Data | ✅ | ❌ |
+| Application | ✅ | ❌ |
+| OS/Runtime | Depends | Depends |
+| Infrastructure | ❌ | ✅ |
+
+### Cloud-Specific Checks
+
+- IAM: Least privilege applied?
+- Storage: Public buckets?
+- Network: Security groups tightened?
+- Secrets: Using secrets manager?
+
+---
+
+## 10. Anti-Patterns
+
+| ❌ Don't | ✅ Do |
+|----------|-------|
+| Scan without understanding | Map attack surface first |
+| Alert on every CVE | Prioritize by exploitability + asset |
+| Ignore false positives | Maintain verified baseline |
+| Fix symptoms only | Address root causes |
+| Scan once before deploy | Continuous scanning |
+| Trust third-party deps blindly | Verify integrity, audit code |
+
+---
+
+## 11. Reporting Principles
+
+### Finding Structure
+
+Each finding should answer:
+1. **What?** - Clear vulnerability description
+2. **Where?** - Exact location (file, line, endpoint)
+3. **Why?** - Root cause explanation
+4. **Impact?** - Business consequence
+5. **How to fix?** - Specific remediation
+
+### Severity Classification
+
+| Severity | Criteria |
+|----------|----------|
+| **Critical** | RCE, auth bypass, mass data exposure |
+| **High** | Data exposure, privilege escalation |
+| **Medium** | Limited scope, requires conditions |
+| **Low** | Informational, best practice |
+
+---
+
+> **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"
+
+---
+
+## Bob's Workshop Integration
+
+This skill is used by **bob-rev (reviewer)** agent during VERIFY phase and **trace (debugger)** during FIX phase.
+
+### MANUAL Integration
+
+Add security section to MANUAL:
+```markdown
+## 🔍 Review Notes
+
+### Security Checklist
+
+#### OWASP Top 10:2025
+- [ ] **A01 Broken Access Control**: IDOR, SSRF, authorization checks
+- [ ] **A02 Security Misconfiguration**: Default credentials, exposed admin panels
+- [ ] **A03 Software Supply Chain**: Dependency audit, lock files, build integrity
+- [ ] **A04 Cryptographic Failures**: Weak encryption, hardcoded secrets
+- [ ] **A05 Injection**: SQL, NoSQL, command injection
+- [ ] **A06 Insecure Design**: Architectural flaws
+- [ ] **A07 Authentication Failures**: Session management, password policy
+- [ ] **A08 Integrity Failures**: Unsigned artifacts, tampered data
+- [ ] **A09 Logging & Alerting**: Security events, error handling
+- [ ] **A10 Exceptional Conditions**: Fail-closed, error handling, resource limits
+
+#### Attack Surface Mapping
+- [ ] Entry points identified (APIs, forms, uploads)
+- [ ] Data flows documented (input → process → output)
+- [ ] Trust boundaries mapped (auth/authz locations)
+- [ ] Assets cataloged (secrets, PII, business data)
+
+#### Supply Chain Security
+- [ ] Dependencies audited (npm audit, Snyk, etc.)
+- [ ] Lock files committed
+- [ ] CI/CD pipeline secured
+- [ ] Registry verified (npm, PyPI, etc.)
+
+#### Cloud Security (if applicable)
+- [ ] IAM: Least privilege applied
+- [ ] Storage: No public buckets
+- [ ] Network: Security groups tightened
+- [ ] Secrets: Using secrets manager (not hardcoded)
+
+### Security Findings
+
+| Severity | Finding | Location | Status |
+|----------|-----------|-----------|--------|
+| 🔴 CRITICAL | [Description] | [File:Line] | [Open/Resolved] |
+| 🟠 HIGH | [Description] | [File:Line] | [Open/Resolved] |
+| 🟡 MEDIUM | [Description] | [File:Line] | [Open/Resolved] |
+| 🟢 LOW | [Description] | [File:Line] | [Open/Resolved] |
+
+### Risk Prioritization
+
+| Finding | CVSS | EPSS | Asset Value | Priority |
+|----------|-------|-------|-------------|----------|
+| [Finding] | [Score] | [Score] | [High/Med/Low] | [P0/P1/P2] |
+
+### Review Decision (Security-Focused)
+
+#### PASS Conditions
+- No 🔴 CRITICAL issues
+- No 🟠 HIGH issues
+- Supply chain secure (dependencies audited)
+- No hardcoded secrets in code
+- Authentication and authorization properly implemented
+
+#### FAIL Conditions
+- Any 🔴 CRITICAL vulnerabilities
+- Unresolved 🟠 HIGH vulnerabilities
+- Hardcoded secrets/API keys found
+- Supply chain vulnerabilities present
+- Authentication bypass possible
+```
+
+### Handoff Format
+
+```markdown
+## 🤝 Agent Handoffs
+
+🤝 bob-rev: Security review complete - 0 critical, 2 medium
+🤝 bob-rev → trace: [FAIL - Security vulnerabilities found, please fix]
+🤝 bob-rev → bob-send: [PASS - Security checks passed]
+```
+
+### Debugging Integration
+
+When trace (debugger) investigates security issues:
+```markdown
+## 🔍 Debug Logs
+
+### Security Issue Analysis
+
+#### Issue Summary
+- **Finding ID:** [SEC-001]
+- **Severity:** [Critical/High/Medium/Low]
+- **Category:** [OWASP Category]
+
+#### Root Cause Analysis
+- **Vulnerability:** [Description]
+- **Location:** [File:Line]
+- **Root Cause:** [Why does this exist?]
+
+#### Attack Scenario
+1. [Attacker step 1]
+2. [Attacker step 2]
+3. [Impact: data theft/access breach]
+
+#### Fix Verification
+- [ ] Fix implemented
+- [ ] Vulnerability no longer exploitable
+- [ ] Similar code reviewed and fixed
+- [ ] Security test added
+```
+
+### Best Practices Reminder
+
+**When reviewing security:**
+- Always prioritize by exploitability + asset value
+- Don't just scan - understand the business context
+- Map attack surfaces before diving into code
+- Consider supply chain security (not just your code)
+- Think like an attacker: "What would I do?"
+
+**Common mistakes to avoid:**
+- Trusting third-party dependencies blindly
+- Ignoring error handling (fail-open vs fail-closed)
+- Hardcoding secrets in config files
+- Assuming user input is safe
+- Forgetting to revoke access/permissions

package/src/skills/simplification/SKILL.md

@@ -0,0 +1,238 @@
+---
+name: simplification
+description: "Optional polish pass for verified code. Simplifies without changing behavior. Use when: 'cleanup', 'polish', 'simplify', 'reduce complexity', 'dead code', 'refactor for clarity'. CRITICAL: Tests MUST pass after each change."
+---
+
+# Code Simplification Skill
+
+## When to Use
+
+Use this skill as an **optional polish pass** after code has been verified and reviewed. It's for simplification, not rewriting.
+
+**Good triggers**:
+- "Clean up this implementation"
+- "Remove unnecessary complexity"
+- "Polish before shipping"
+- "Simplify without changing behavior"
+
+**Bad triggers**:
+- "Rewrite this module" (too broad)
+- "Improve performance" (different goal)
+- "Add features" (wrong skill entirely)
+
+## Core Principle
+
+> "Preserve exact behavior. Tests MUST still pass after each change."
+
+You're not here to improve architecture. You're here to remove unnecessary complexity from **working code**.
+
+## Prerequisites (GATE)
+
+Before running this skill:
+
+1. **Code must be verified working** - Tests pass, lint clean
+2. **Human approved the polish pass** - Not automatic
+3. **All changes are committed** - Clean working directory
+
+**If any prerequisite fails, DO NOT PROCEED.**
+
+## The Simplification Process
+
+**One change at a time. Test after each. Revert on failure.**
+
+```
+1. Read implementation
+   └─► Identify ONE simplification opportunity
+
+2. Make the change
+   └─► Use edit tool (not complete rewrite)
+
+3. Run tests
+   └─► npm test | pytest | cargo test
+
+4. Tests pass?
+   ├─► Yes: Record change, continue to step 1
+   └─► No: Revert change, try different simplification
+
+5. Repeat until:
+   ├─► No more improvements found, OR
+   ├─► 3 passes complete, OR
+   └─► 3 consecutive failures (THREE-STRIKE RULE)
+```
+
+## Simplification Targets
+
+| Target | Action | Example |
+|--------|--------|---------|
+| Single-use helper | Inline it | `getUser()` called once → inline the query |
+| Dead code | Delete it | Unused function → remove entirely |
+| Unclear name | Rename it | `x` → `connectionPool` |
+| Deep nesting | Flatten it | if/if/if → early returns |
+| Redundant wrapper | Remove it | Class that just wraps another class |
+| Unnecessary abstraction | Inline it | Factory that creates one type |
+
+### Single-Use Helper Detection
+
+```typescript
+// BEFORE: Helper used once
+function formatUserName(user: User): string {
+  return `${user.firstName} ${user.lastName}`;
+}
+
+function displayUser(user: User) {
+  console.log(formatUserName(user)); // Only usage
+}
+
+// AFTER: Inlined
+function displayUser(user: User) {
+  console.log(`${user.firstName} ${user.lastName}`);
+}
+```
+
+### Flatten Nesting
+
+```typescript
+// BEFORE: Deep nesting
+function process(data: Data) {
+  if (data) {
+    if (data.valid) {
+      if (data.items.length > 0) {
+        return transform(data.items);
+      }
+    }
+  }
+  return null;
+}
+
+// AFTER: Early returns
+function process(data: Data) {
+  if (!data) return null;
+  if (!data.valid) return null;
+  if (data.items.length === 0) return null;
+  return transform(data.items);
+}
+```
+
+## Red Flags — DON'T Simplify These
+
+| Pattern | Risk |
+|---------|------|
+| Helper with `console.log` | Side effect will be lost |
+| Helper with `await` | Timing may change |
+| Helper with global mutation | Side effect will be lost |
+| Helper with event emission | Subscribers may break |
+| Code used via reflection | Static analysis misses it |
+| Code in hot path | Performance may degrade |
+
+**If in doubt, don't simplify it.**
+
+## Three-Strike Rule
+
+After 3 consecutive failed simplifications, **STOP**:
+
+```
+Simplification 1 → Tests fail → Revert
+Simplification 2 → Tests fail → Revert
+Simplification 3 → Tests fail → Revert
+STOP: Code is more fragile than expected
+```
+
+**Report this clearly. Don't keep trying.**
+
+## Rollback Procedure
+
+If tests fail after a change:
+
+```bash
+# Revert the specific file
+git checkout -- path/to/modified/file.ts
+
+# Or revert all unstaged changes
+git checkout -- .
+```
+
+**Record the failure** for the report.
+
+## Running Tests
+
+After EVERY change, run tests:
+
+```bash
+# Detect test command
+if [ -f "package.json" ]; then
+  npm test
+elif [ -f "pytest.ini" ] || [ -f "pyproject.toml" ]; then
+  pytest
+elif [ -f "Cargo.toml" ]; then
+  cargo test
+fi
+```
+
+**Test timeout**: 2 minutes. If tests hang, revert and skip this simplification.
+
+## Forbidden Changes
+
+| Forbidden | Why |
+|-----------|-----|
+| Add features | Scope creep |
+| Change public APIs | Breaks consumers |
+| Refactor unrelated code | Stay focused |
+| Subjective style changes | Not simplification |
+| "Improve" clear code | If it works and is clear, leave it |
+
+## Output Format
+
+Document all changes made:
+
+```markdown
+## Simplification Report
+
+**Started**: [Timestamp]
+**Completed**: [Timestamp]
+
+### Changes Made
+1. **[file:line]** - Inlined single-use helper `formatDate()`
+   - Lines removed: 8
+   - Lines added: 2
+
+2. **[file:line]** - Removed unused function `legacyAuth()`
+   - Lines removed: 15
+   - Lines added: 0
+
+### Changes Reverted
+1. **[file:line]** - Attempted to flatten query builder conditionals
+   - Reason: Test 'db.handles-concurrent' failed
+   - Reverted: ✓
+
+### Summary
+- Simplifications made: 2
+- Simplifications reverted: 1
+- Passes completed: 2
+- Tests still pass: ✓
+- Net lines: -21
+```
+
+## Quality Over Quantity
+
+**A good polish pass might change nothing.**
+
+If the code is already simple and clear:
+- Report "No simplifications needed"
+- This is a valid outcome
+- Don't force changes for the sake of it
+
+## Anti-Patterns
+
+**Don't do these:**
+
+- Making changes without testing
+- Batch-changing multiple files at once
+- Subjective "this would be cleaner" changes
+- Ignoring test failures
+- Continuing after 3 consecutive failures
+- Simplifying code you don't understand
+- Removing "unused" code without checking for dynamic access
+
+---
+
+**Remember**: This is a POLISH pass, not a rewrite. Preserve behavior. Test constantly. Stop when the code is clean or when you hit resistance.